On 09/16/2011 11:11 AM, Ed Heron wrote:
> On Fri, 2011-09-16 at 10:46 -0700, Eric Shubert wrote:
>> ... Now, take all of your ideal logical servers (and the networking which ties them all together), and make them VMs on your host. I've done this, and these are the VMs I presently have (the list is still evolving):
>> .) net (IPCop distro, provides network services, WAN/DMZ/LAN)
>> .) web (DMZ/STOR)
>> .) ftp (DMZ/STOR)
>> .) mail (DMZ/STOR)
>> .) domain control (LAN/STOR)
>> .) storage (LAN/STOR)
>>
>> One aspect that we haven't touched on is network topology. I have 2 nics in the host, one for WAN and one for LAN. These are both bridged to the appropriate subnet. I also have host-only subnets for DMZ and STORage. The DMZ is used with IPCop port forwarding giving access to services from the internet. The STOR subnet is sort of a backplane, used by servers to access the storage VM, which provides access to user data via SMB, NFS, AFP, and SQL. All user data is accessed via this storage VM, which has access to raw (non-virtual) storage. ...
>
> If I'm understanding you, if you split this out to multiple physical hosts, you would need to convert DMZ and STOR from virtual to physical segments, increasing the number of required network interfaces in each host to 4.

Correct. I have done this with DMZ to provide wireless access (putting a wireless router on the DMZ).

> Are you concerned that your hosts are connected to WAN without a firewall?

I am not concerned. The only machine connected/accessible to WAN is the IPCop VM. Everything from/to the WAN goes through IPCop.

> I assume you bridge the interface without assigning IP address?

Right, there is no IP address (169.254.x.x or 0.0.0.0) on the WAN interface of the host. The WAN interface on the host is not accessible, only bridged to IPCop red/wan interface.

> What software do you use for storage? I'd think having the host handle integrated storage would be simpler, but, of course, that doesn't scale to multiple hosts...

I simply use a Linux host, with nfs, samba, netatalk and mysql. Whatever you prefer would do.

Although the host handles the physical I/O, I still like having a separate storage VM. I think it simplifies things a bit when it comes to monitoring and tuning, and it's better security-wise too. I don't think it's a good idea to have any more services than needed running on the host.

Thanks for the questions. I'm sure I left out a few things. ;)
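The property discussed in the exchange above (the host's WAN interface is bridged at layer 2 to the firewall VM and carries no IP address of its own, so the host is not reachable from the WAN segment) is easy to verify and easy to lose silently, for instance when a DHCP client or zeroconf daemon later grabs the bridge. The script below is an added example, not code from the thread or from either poster. It assumes a Linux host with iproute2's `ip`; the interface names `br-wan` and `br-bad` and the sample `ip -o addr show` output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a WAN-facing bridge on the
# hypervisor host carries no IP address, i.e. it is a pure layer-2 bridge to the
# firewall VM's red interface. Assumes Linux + iproute2; interface names and the
# sample `ip -o addr show` output below are constructed.

# bridge_has_no_ip IFACE
#   Reads `ip -o addr show` output on stdin. Exits 0 if IFACE carries no IPv4 or
#   IPv6 address, 1 if it does. The kernel's automatic fe80::/10 link-local IPv6
#   address is ignored (every UP interface gets one). An APIPA 169.254.x.x address
#   is NOT ignored: it means a DHCP client or zeroconf daemon is active there.
bridge_has_no_ip() {
    awk -v ifc="$1" '
        $2 == ifc && ($3 == "inet" || $3 == "inet6") {
            split($4, parts, "/"); addr = parts[1]
            if (addr ~ /^fe80:/) next   # kernel link-local IPv6, always present
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# check_iface IFACE ADDR_OUTPUT
#   Prints an "OK: ..." or "FAIL: ..." line for IFACE and returns 0 or 1.
check_iface() {
    if printf '%s\n' "$2" | bridge_has_no_ip "$1"; then
        echo "OK: $1 has no IP address (layer-2 bridge only)"
        return 0
    fi
    echo "FAIL: $1 has an IP address; the host is reachable on that segment"
    return 1
}

# Constructed sample in the format of `ip -o addr show`:
#  - eth0   : host LAN interface with a routable address (expected, not checked)
#  - br-wan : WAN bridge with only the kernel's fe80:: link-local (desired state)
#  - br-bad : WAN bridge that picked up an APIPA address (misconfiguration)
SAMPLE_IP_ADDR='2: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:1/64 scope link \       valid_lft forever preferred_lft forever
3: br-wan    inet6 fe80::a00:27ff:fe4e:2/64 scope link \       valid_lft forever preferred_lft forever
4: br-bad    inet 169.254.23.7/16 brd 169.254.255.255 scope link br-bad\       valid_lft forever preferred_lft forever
4: br-bad    inet6 fe80::a00:27ff:fe4e:3/64 scope link \       valid_lft forever preferred_lft forever'

# Check the two WAN bridges in the sample. On a real host, run instead:
#   ip -o addr show | bridge_has_no_ip br-wan && echo OK || echo FAIL
status=0
for ifc in br-wan br-bad; do
    check_iface "$ifc" "$SAMPLE_IP_ADDR" || status=1
done
```

The check only reports the state of the running kernel at that moment; pair it with a look at the host's persistent network configuration so that a reboot cannot reintroduce an address on the WAN bridge.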